Microsoft Introducing Windows Server 2008 Resource Kit, part 8
Chapter 10 Network Access Protection 331
Event Number / Event Type / Event Text / Resolution Steps (continued)

29  Error
Event text: The Health Registration Authority denied the certificate request with the correlation-id %1 at %2 for (principal: %3). Either no Certification Authorities are configured or none are available. Verify the Health Registration Authority configuration or contact its administrator for more information.
Resolution steps: Certification Authority configuration error. Verify that Certification Authorities are configured in HRA by running the following in a command window:
    netsh nap hra show configuration
If Certification Authorities are configured, all of them might be blacked out. Contact the CA administrator, and examine whether the current configuration meets the traffic requirements for the network.

30  Error
Event text: The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority [ca-name] denied the request with the following error: [ca-error-number]. Contact the Certification Authority administrator to check the permissions and for more information.
Resolution steps: Health Registration Authority (HRA) does not have the proper permissions to delete expired certificates on the Certification Authority (CA). Contact the CA administrator, and have the HRA granted permission to delete expired certificates.

–Wai-O Hui
Software Development Engineer in Test, Network Access Protection
–Harini Muralidharan
Software Development Engineer in Test, Network Access Protection
Now let’s look at troubleshooting NAP 802.1X enforcement. Once again, we’ll begin on the
client side, as problems most often begin there—especially if only some clients and not all of
them have difficulties.
From the Experts: Debugging NAP 802.1x Enforcement Using
Client-Side Troubleshooting
These instructions are designed to be a support aid to diagnose Network Access
Protection issues in 802.1x enforcement. They are meant to provide additional
information to the administrator to identify the root cause of the problem and refer
to Microsoft troubleshooting procedures and related information. Network Access
Protection diagnostics involve the Vista/XP client (we will use the term NAP Client to
refer to them), the 802.1x switch, and the Network Policy Server.
Is NAP the Problem?
The goal of this section is to collect the information to help classify the problem. The first
step in diagnosing the NAP system is collecting the following information for diagnosis:
1. Client Operating system and the corresponding version (Example: Is it Windows
Vista or Windows XP?)
2. Network connection information (ipconfig /all details)
3. NAP Client configuration
4. Event logs for the NAP and corresponding enforcement components
802.1x Enforcement
802.1x provides client authentication to the network devices. When diagnosing 802.1x
issues, information can be gathered from the NAP Client, the network device, and the
Network Policy Server (NPS).
NAP utilizes the PEAP authentication to pass health data, enabling the use of 802.1x as
a NAP enforcement. 802.1x NAP health policy is enforced on the network access device
through the use of VLANs, which are assigned through RADIUS attributes from NPS to
the switch.
Information Gathering
Use the following steps to gather the necessary information:
1. Open services.msc, and verify that the following services are running (this
can also be verified from the command line with sc query):
❑ NAP Agent
❑ EAP Host
❑ Wired AutoConfig (for wired scenarios)
❑ WLAN AutoConfig (for wireless scenarios)
2. Open a command prompt with administrator credentials, and issue the following
commands:
    netsh nap client show config > C:\napconfig.txt
    netsh nap client show state > C:\state.txt
    sc.exe query > C:\services.txt

Troubleshooting Flowchart
The following is the troubleshooting flowchart that administrators can use to debug the
802.1x NAP system.
The flowchart reads top to bottom; each step is a Yes/No check with its corrective action:
1. Verify that the Network Access Protection Agent is started and running. If not, start the Network Access Protection Agent.
2. Verify that EAPHost is started and running. If not, start EAPHost.
3. Verify that dot3svc and/or wlansvc is started and running. If not, start dot3svc and/or wlansvc.
4. Verify that the EAP/802.1x QEC is enabled. If not, enable the EAP/802.1x QEC.
5. Verify that Enable Quarantine Checks in the authentication settings on the connection is enabled. If not, enable the Quarantine check on the corresponding connection.
6. When all of the above are in place, check the event viewer for events corresponding to the client failure and continue the investigation on the server side.
Detailed Investigation
The administrator has to first verify the configuration of the client:
1. The following services are enabled:
❑ Network Access Protection Agent (“napagent”)
❑ Extensible Authentication Protocol (“eaphost”)
❑ Wired AutoConfig (“dot3svc”). This service is used if the administrator is
setting up a wired 802.1x environment.
AND/OR
❑ WLAN AutoConfig (“wlansvc”). This service is used if the administrator is
setting up a wireless 802.1x environment.
2. The EAP/802.1x QEC is enabled.
3. The Enable Quarantine Checks option in the Authentication settings for the
corresponding connection is configured. (Enable Quarantine Checks is a setting
in the connection profile; this setting is new and enables NAP.)
4. Verify the PEAP configuration on the wired connection profile. (Verify the EAP
method configuration, and also verify that the certificate is chained back to the
same root for validation of the server certificate.)
Once the administrator verifies that the client is configured accurately, he can use the
following steps to help identify failures and misconfigurations in the 802.1x/EAP
scenario. The administrator can start the investigation by looking at the various Wired
AutoConfig (for wired 802.1x scenarios) and Wireless AutoConfig (for wireless 802.1x
scenarios) events, particularly looking for events 15505 and/or 15514 (for wired
802.1x scenarios) and events 12013 and/or 12011 (for wireless 802.1x scenarios) in the
event log.
Events 15505 and 12011 indicate “Authentication success.”
Events 15514 and 12013 indicate “Authentication failures.” For authentication failures,
look for the reason code and reason text to help with further debugging. (The
investigation needs to continue on the NPS server.)
–Tom Kelnar
Lead Software Design Engineer, Network Access Protection
–Chris Edson
Software Development Engineer in Test, Network Access Protection
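The client-side procedure in the sidebar above, carried out as one script. This is an added example, not code from the book or from the NAP team: it checks the four services from the flowchart, collects the same netsh and sc dumps as the "Information Gathering" step, looks for the EAP quarantine enforcement client in the state dump, and pulls the 15505/15514 and 12011/12013 events named under "Detailed Investigation". It assumes PowerShell 2.0 or later on the NAP client (Get-WinEvent needs it), an elevated prompt, that "netsh nap client show state" lists each enforcement client as "Name = ..." followed by "Initialized = Yes|No", that the Wired/WLAN AutoConfig events live in the operational channels named in the code, and that 79623 is the EAP QEC ID for "netsh nap client set enforcement"; adjust those if your build differs.

```powershell
# Added example (not from the book or the NAP team): client-side NAP 802.1x triage.
# Service names and event IDs come from the sidebar; the netsh output format, the
# event channel names and the QEC ID 79623 are assumptions.

# 1. Services from the flowchart. dot3svc (wired) and/or wlansvc (wireless): at least one.
function Test-ServiceRunning([string]$name) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}
foreach ($s in 'napagent', 'eaphost') {
    if (-not (Test-ServiceRunning $s)) { Write-Warning "$s is not running: Start-Service $s" }
}
if (-not (Test-ServiceRunning 'dot3svc') -and -not (Test-ServiceRunning 'wlansvc')) {
    Write-Warning 'Neither dot3svc (wired) nor wlansvc (wireless) is running'
}

# 2. Collect the same artifacts as the "Information Gathering" step into one folder.
$out = Join-Path $env:TEMP 'nap-client-diag'
New-Item -ItemType Directory -Path $out -Force | Out-Null
$config = netsh nap client show config
$state  = netsh nap client show state
$config       | Out-File (Join-Path $out 'napconfig.txt')
$state        | Out-File (Join-Path $out 'state.txt')
sc.exe query  | Out-File (Join-Path $out 'services.txt')
ipconfig /all | Out-File (Join-Path $out 'ipconfig.txt')

# 3. Is the EAP quarantine enforcement client (QEC) enabled and initialized?
# Assumption: "show state" prints "Name = EAP Quarantine Enforcement Client" and,
# a few lines later, "Initialized = Yes|No" for that client.
$stateText = $state -join "`n"
$eap = [regex]::Match($stateText,
    'Name\s*=\s*EAP Quarantine Enforcement Client.*?Initialized\s*=\s*(\w+)', 'Singleline, IgnoreCase')
if (-not $eap.Success) {
    # This is the "Enable EAP/802.1x QEC" box in the flowchart.
    Write-Warning 'EAP QEC not reported; enable it with: netsh nap client set enforcement id=79623 admin=enable'
} elseif ($eap.Groups[1].Value -ne 'Yes') {
    Write-Warning "EAP QEC is enabled but not initialized (Initialized = $($eap.Groups[1].Value))"
}

# 4. Authentication outcome events from "Detailed Investigation":
#    15505 success / 15514 failure (wired), 12011 success / 12013 failure (wireless).
$success = 15505, 12011
$queries = @(
    @{ LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational'; Id = 15505, 15514 },
    @{ LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational';  Id = 12011, 12013 }
)
foreach ($q in $queries) {
    $events = Get-WinEvent -FilterHashtable $q -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $verdict = if ($success -contains $e.Id) { 'SUCCESS' } else { 'FAILURE' }
        # Failure events carry a reason code and reason text; print the whole message
        # so it can be matched against the NPS-side events in the next sidebar.
        '{0:u} {1} {2}: {3}' -f $e.TimeCreated, $verdict, $e.Id, ($e.Message -replace '\s+', ' ')
    }
}
```

Run it from an elevated PowerShell prompt on the affected client; the warnings map one-to-one onto the "No" branches of the flowchart, and the event lines give you the reason codes to carry over to the NPS side.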
Finally, here’s the server side of NAP 802.1X troubleshooting. Once again, Event Viewer will
be of invaluable use in determining the nature of the problem.
From the Experts: Troubleshooting the Network Policy Server for
802.1x PEAP-Based NAP
Use these instructions if you have already configured 802.1x PEAP-based NAP and have
attempted authentication, but you do not see the expected behavior on the client. It is
expected that the client-side troubleshooting procedure outlined in the previous sidebar
has already been used.
Information Gathering

Use the following steps to gather the necessary information:
1. Dump all NPS events into an Event Viewer file for later analysis:
    wevtutil.exe epl System NPS.evtx /q:"*[System[Provider[@Name='NPS'] and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
Or create a custom (or filtered) view folder in the Event Viewer that displays only
the NPS events.
2. Open the Network Policy Server snap-in for examining policy configuration.
Troubleshooting Flowchart
Most 802.1x PEAP-based NAP troubleshooting is done by analyzing the Events posted
by NPS into the System event log store. Take a look at the events, and proceed along the
flowchart, referring back to the events as needed.
The flowchart reads top to bottom; each step is a Yes/No check with its corrective action:
1. Is the Network Policy service (ias) running? If not, start the service and try again.
2. Is NPS generating events? If not, ensure that the Switch/Access Point to NPS connection is configured properly. See the Switch/Access Point Connection section.
3. Do the events indicate that the message authenticator attribute is not valid? If yes, ensure that the shared secret settings match. See the Switch/Access Point Connection section. This error could also indicate problems with the certificate selected for use with PEAP.
4. Do the events indicate that an error has occurred with a System Health Validator? If yes, see the System Health Validator Issues section.
5. Analyze the events. Is client authentication failing or succeeding? If failing, see the “Failed Authentications” section. If succeeding, see the “Successful Authentications” section.
Switch/Access Point Connection
Several issues can prevent the switch or access point from properly communicating with
the Network Policy Server:
1. The Network Policy Server machine must have the correct ports open in the
firewall to allow the RADIUS requests through to the NPS service:
❑ UDP:1812 for authentication
❑ UDP:1813 for accounting
2. The switch or access point must be configured to forward 802.1x authentication
requests to the Network Policy Server; this includes setting the correct IP address
for the NPS machine, as well as the proper ports (for some switches).
3. The Network Policy Server must also be configured to recognize the switch or
access point; this is done by configuring a RADIUS client table entry within the
NPS snap-in, and it requires the IP address of the switch or access point.
4. The Network Policy Server and the switch or access point must both be configured
with a common “shared secret.” If the secrets do not match, they will not be able
to correctly communicate.
System Health Validator (SHV) Issues
Some common causes and paths of investigation for System Health Validator errors are
as follows:
1. Perhaps the most common cause for System Health Validator failures occurs when
the versions of Validator (server side) and System Health Agent (client side) do not
match. Always ensure that the SHV/SHA pairs in use are matching versions.

2. Another common cause for System Health Validator–related errors is a failure to
correctly register with the Network Policy Server. If this occurs, contact the SHV
developer.
3. System Health Validator errors can also appear when the Network Policy Server is
unable to load the SHV, or when the SHV terminates unexpectedly. If either of
these situations occurs, contact the SHV developer.
Failed Authentications
Failed authentications can occur for a number of reasons, many of which are not
specifically related to the NAP portion of the transaction.
Reason #1 – No matching policy
Some common causes and solutions for this reason are:
■ A client request arrived that did not exactly match any of the Network Policies
configured on the NPS. Always ensure that you have policies in place that will
match all possible client requests. Or you might consider making your existing
policies slightly less specific by removing nonrequired conditions from the
policies.
■ The NPS policy configuration does not include a policy that will match “not NAP
capable” clients. When a client machine first boots, the authentication services will
start prior to the NAP Agent service, and an authentication will be performed
before health information is available. This client will therefore not match any
policies with health-based conditions. Whether you grant full access with this policy
or not, it still needs to be included in the configuration. Also, know that clients will
re-authenticate once the NAP Agent service starts.
Reason #2 – User is denied access
The common cause of this is that, by default, the Network Policy Server performs an
Active Directory account look-up to verify the authenticating user’s dial-in privileges.
If the user’s account does not allow dial-in access, the user will be denied access
(regardless of the NPS policy settings). If you want to grant the user access, you can
do either of the following:

■ Ensure that the user’s account in the Active Directory is set to allow dial-in access.
■ Select the Ignore User Account Dial-in Properties box for the policy in NPS, which
allows NPS to ignore the dial-in access setting and check only whether the user
account is active in Active Directory.
Successful Authentications
Because of the possible complexities of 802.1x and the authentications it allows, there
are cases in which clients could be successfully authenticating, yet not gaining the
expected level of access.
Problem #1 – Client is NAP enabled but matches the “not NAP capable” policy
Two common reasons and solutions for this problem are:
■ Network Policy Server policy evaluation occurs in two stages: Connection Request
policies first, and then Network Policies. Because Health is a condition for Network
policy evaluation, the health data must be gathered prior to entering the Network
Policy stage. Therefore, ensure that the Connection Request Policy being used is
configured to Override Authentication and to do PEAP authentication. Also ensure
that the PEAP configuration settings include selecting the Perform Quarantine
Checks check box. Also ensure that the conditions on the Connection Request
Policy are such that only requests from your switches or access points will be matched
by that policy.
■ At client boot, the authentication services start prior to the NAP Agent. Thus, for
the first authentication, there is no health data for evaluation. Therefore, the client
will not match any policies in which health criteria are used as conditions. The
client will match only policies with the “not NAP capable” condition. However, once
the NAP Agent starts, a second authentication will be initiated, and the client will
then be able to match the expected policy.
Problem #2 – Client is placed on the wrong VLAN
The solution to this problem will vary, depending upon the switch or access point
hardware and sometimes the firmware that you are using. Consult the documentation
or support contacts for your hardware, and determine what RADIUS standard or
vendor-specific attributes need to be given to that hardware to achieve the functionality
you desire. Once you have determined the values that need to be passed to the hardware,
ensure that each policy on the Network Policy Server has these values configured in the
Profile Settings section.
–Chandra Nukala
Program Manager, Network Access Protection
–Chris Edson
Software Development Engineer in Test, Network Access Protection
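The server-side flowchart in the sidebar above, driven from the NPS events themselves. This is an added example, not code from the book or from the NAP team: it checks that the ias service is running, reads either the NPS.evtx exported in the "Information Gathering" step or the live System log, sorts the events into the flowchart's branches (Message-Authenticator failures, SHV errors, failed and successful authentications), and for each failed user looks up the Active Directory dial-in property that "Reason #2" describes. The keyword patterns ("message authenticator", "System Health Validator", "denied access", "granted access") and the "Account Name:", "Reason Code:" and "Reason:" fields are assumptions about NPS event text, as is the provider name NPS in the System log; the msNPAllowDialin attribute and its meaning (absent = controlled by NPS policy, FALSE = explicitly denied) are standard Active Directory.

```powershell
# Added example (not from the book or the NAP team): walk the NPS flowchart over the
# events NPS writes. Run on the NPS server; pass -EvtxPath to use the exported file.
# Keyword and field patterns are assumptions about NPS event text.
param([string]$EvtxPath = '')

# 1. Is the Network Policy service (ias) running?
$ias = Get-Service -Name ias -ErrorAction SilentlyContinue
if ($null -eq $ias -or $ias.Status -ne 'Running') {
    Write-Warning 'Network Policy service (ias) is not running: Start-Service ias and try again'
    return
}

# 2. Is NPS generating events? (last 24 hours, the same window as the wevtutil query)
if ($EvtxPath) {
    $events = @(Get-WinEvent -Path $EvtxPath -ErrorAction SilentlyContinue)
} else {
    $filter = @{ LogName = 'System'; ProviderName = 'NPS'; StartTime = (Get-Date).AddDays(-1) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}
if ($events.Count -eq 0) {
    Write-Warning 'NPS wrote no events: check the switch/AP to NPS path (UDP 1812/1813 open, RADIUS client entry, shared secret)'
    return
}

# 3-5. Sort events into the flowchart branches.
$secret = @(); $shv = @(); $failed = @(); $succeeded = @(); $other = @()
foreach ($e in $events) {
    $m = $e.Message
    if     ($m -match 'message authenticator')      { $secret    += $e }
    elseif ($m -match 'System Health Validator')    { $shv       += $e }
    elseif ($m -match 'denied access|was rejected') { $failed    += $e }
    elseif ($m -match 'granted access')             { $succeeded += $e }
    else                                            { $other     += $e }
}
if ($secret) { Write-Warning "$($secret.Count) event(s) report an invalid Message-Authenticator: shared secret mismatch, or a bad PEAP certificate. See Switch/Access Point Connection." }
if ($shv)    { Write-Warning "$($shv.Count) event(s) report an SHV error: check SHV/SHA version pairing and SHV registration. See System Health Validator Issues." }
"Succeeded: $($succeeded.Count)   Failed: $($failed.Count)   Unclassified: $($other.Count)"

# "Failed Authentications", Reason #2: the account's dial-in property overrides policy.
# msNPAllowDialin absent = "Control access through NPS Network Policy"; FALSE = denied.
function Get-DialinSetting([string]$sam) {
    # Refuse LDAP filter metacharacters; the name comes from event text.
    if ($sam -notmatch '^[A-Za-z0-9._$-]+$') { return 'skipped (unexpected characters in account name)' }
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    [void]$ds.PropertiesToLoad.Add('msNPAllowDialin')
    $r = $ds.FindOne()
    if ($null -eq $r) { return 'account not found' }
    if (-not $r.Properties.Contains('msnpallowdialin')) { return 'controlled by NPS policy' }
    return "msNPAllowDialin = $($r.Properties['msnpallowdialin'][0])"
}

foreach ($e in $failed) {
    # Assumption: failure text carries "Account Name: <name>", "Reason Code: <n>", "Reason: <text>".
    $user   = if ($e.Message -match 'Account Name:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    $reason = if ($e.Message -match 'Reason Code:\s*(\d+)')       { $Matches[1] }        else { '?' }
    $text   = if ($e.Message -match 'Reason:\s*([^\r\n]+)')       { $Matches[1].Trim() } else { '' }
    $sam    = $user -replace '^.*\\', ''   # strip a DOMAIN\ prefix
    '{0:u}  user={1}  reason={2} {3}  dial-in: {4}' -f $e.TimeCreated, $user, $reason, $text, (Get-DialinSetting $sam)
}
```

A user whose line ends in "msNPAllowDialin = False" is being denied by the account, not by a network policy, which is the case the sidebar says you fix either in Active Directory or with Ignore User Account Dial-in Properties on the policy. The "Unclassified" count is a prompt to extend the patterns, not to ignore those events.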
Pretty cool stuff, eh? My thanks to the NAP team for contributing these insights. Product
teams tend to be especially proud of the features they develop, and NAP is obviously prouder
than most because they took the time out of their busy schedule (Ship! Ship!!) to provide this
content for my book—thanks, team!
Conclusion
I’m excited about NAP. The days of unrestricted access to Windows networks are coming to
an end, and Microsoft has displayed its ongoing commitment to its Trustworthy Computing
Initiative by developing the NAP platform that we’ve described in this chapter. And with
industry support by over a hundred different third-party ISVs and IHVs, NAP is likely to be
the dominant player in the network access platform marketplace. If you haven’t started testing
NAP, you should begin doing so using the latest build of Windows Server 2008 available to
your enterprise, because this is one technology you really don’t want to be without.
Additional Resources
The best place to start looking for resources about NAP is the Network Access Protection
page on TechNet, which can be found at />default.mspx. There you’ll find overviews, webcasts, Live Meeting presentations, links to
Step by Step guides (which go into more detail of how to set up NAP than we could go into
in this brief chapter), and more.
The Microsoft Download Center also has great resources on NAP; just go to
and search for NAP and you’ll find many.
There’s also a TechNet Forum where you can ask questions and help others trying out NAP;
see for this forum (Windows Live registration required).
For ISVs and IHVs who want to NAP-enable their product, the NAP APIs can be found on
MSDN at />And don’t forget to check out the NAP blog at as
this is a terrific and timely resource for all things NAP.
Finally, be sure to turn to Chapter 14, “Additional Resources,” for more sources of information
concerning NAP, and also for links to webcasts, whitepapers, blogs, newsgroups, and other
sources of information about all aspects of Windows Server 2008.
Well I’ve been working hard on this chapter, and now it’s done. So I better rest a bit and take
a nap before I start writing my next chapter. Uh-oh, another bad pun. Better stick to my day
job (IT pro) and avoid the nighttime comedy circuit.
Chapter 11
Internet Information Services 7.0
In this chapter:
Understanding IIS 7.0 Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Additional Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .375
Watching Microsoft Internet Information Services (IIS) evolve over the last decade or so has
been exciting. While a high point for end-user experience was probably the worldwide release
of Microsoft Windows 95, for an IT pro like me, one of the high points in Windows platform
development was the Microsoft Windows NT 4.0 Option Pack release of IIS 4.0. Since then, as
the version numbers have continued to climb, IIS has evolved into the most secure, reliable,
and powerful Web application platform around. For instance, since IIS 6.0 was released on
Windows Server 2003, there hasn’t been a single critical security update for IIS. So what could
possibly be new, then, in IIS 7.0? Where can you possibly go if you’ve already reached the top?
Understanding IIS 7.0 Enhancements
Well, you can always try climbing higher. And that’s exactly what the IIS product team has
done in version 7 of IIS, which was released with Windows Vista and is being further
enhanced and fine-tuned for Windows Server 2008. Compared with the previous version (IIS
6.0), version 7 of IIS has been improved in five main areas:

■ Security and patching
■ Administration tools
■ Configuration and deployment
■ Diagnostics
■ Extensibility
Let’s examine each of these five areas of enhancement, and as we do so we’ll get a whirlwind
tour of what IIS 7.0 is all about. Sort of like the trip my wife and I made to Europe a few years
after we got married—on the left is the Eiffel Tower, on the right is the Matterhorn, over here is
the Coliseum, over there is a topless beach near Corfu. Look, the Mona Lisa in the Louvre!
Wow, we’re at the top of the dome in St. Peter’s Basilica! Wow, we’re five stories underground
in the Catacombs! Look, wow, look at that, wow, look, wow—zoom, we’re home!
Sorry but that’s a bit what our tour of IIS 7.0 will be like because there’s so much to learn about
that it would really take an entire book to do this feature justice. And we’ve got only a single
chapter to do this—so let’s get started! Fortunately, we also have our tour guides (our
Microsoft experts) along for the ride to help point out some of the highlights! But like any
good tour operator, I want to map out for you where we’re going in this chapter. First we’ll
describe each of these five areas of improvement and note some of the sights worth seeing.
Along the way, we’ll briefly go inside IIS 7.0 and examine its architecture, which is more
interesting than a 16th-century cathedral (well, to a geek, anyway). Then we’ll talk about some of
the post-Vista improvements that are coming in Windows Server 2008 (though we’ll actually
mention some of these during the earlier part of our tour). And finally, I’ll talk briefly about
the Application Server role in Windows Server 2008—summarizing what it’s about and how it
ties in with IIS. And for those of you who are still unsatisfied at the end of our journey and
want to see more, I’ll list additional resources you can use to learn more about IIS 7.0 on your
own. Sound good? Fasten your seatbelts—we’re off!
Security and Patching
One thing I really like about IIS 7.0 is its new modular architecture. What this means is that
instead of IIS being a monolithic entity installed by default with only a few features available
for optional installation, IIS 7.0 now has more than 40 separate setup components you can
choose from and only a small set of these are installed by default. You can now install only IIS
features you actually need on your Web server and leave the remaining features uninstalled.
The benefits of doing this are fivefold:
■ First, your system is more secure. Why? Because the only IIS binaries installed on your
system are those you actually need. And the fewer binaries, the less attack surface there
is on your machine.
■ Second, your system is easier to service. Why? Because maintaining a server involves
keeping it patched with the latest critical updates from Microsoft. But if you have only a
subset of the available IIS modules installed on your machine, you have to patch only
those modules—you don’t have to patch modules that aren’t installed.
■ Third, your system is also easier to manage. For example, as we’ll see in a moment, if
the component supporting Basic authentication is not installed on your system, the
configuration setting for this feature won’t be present. And the fewer configuration
settings that are surfaced, the less clutter the admin UI has and the easier it is to manage
your server.
■ Fourth, you can customize your Web server to function in a specific role in your
environment.
■ And fifth, you can reduce the memory footprint of your Web server by removing
unnecessary modules. As a result, the amount of memory used by worker processes on
your machine will be reduced, which can allow you to host more Web sites and Web
applications on your machine—something especially valuable in large hosting
environments. Reducing the number of installed modules also means that fewer intra-process
events are occurring, so this also frees up CPU cycles as well—something that, again, is
important in hosting environments.
In addition, you can even create your own custom modules and use these to replace existing
modules or add new features to your Web server. We’ll talk about this later when we discuss
the extensibility of the IIS 7.0 platform.

The following graphic shows the IIS 7.0 components available for you to install when you add
the Web Server (IIS) role to your Windows Server 2008 machine. These components are
called modules, and you can add or remove them from the Web server engine, depending on
what you need.
[Figure: IIS 7.0 Web Server (IIS) role components, grouped by category]
Common HTTP Web Server Components: StaticFileModule, DefaultDocumentModule, DirectoryListingModule, HttpRedirect, CustomErrorModule
Security: IPSecurityModule, UrlAuthorizationModule, WindowsAuthModule, CertificateAuthModule, AnonymousAuthModule, RequestFilteringModule, BasicAuthModule, DigestAuthModule
Application Development: ASP, ASP.NET, ISAPIFilterModule, CGIModule, ServerSideIncludeModule, NetFxExtensibility, ISAPIModule
Health and Diagnostics: LoggingLibraries, RequestMonitorModule, HTTPTracingModule, ODBCLogging, HttpLoggingModule, CustomLoggingModule
FTP Publishing: FTPServer, FTPManagement
Performance: HTTPStaticCompression, HTTPDynamicCompression
Management: LegacyScripts, LegacySnap-in, Metabase, WMICompatibility, ManagementService, ManagementConsole, ManagementScripting
Windows Process Activation Service: ProcessModel, NetFxEnvironment, ConfigurationAPI
The preceding illustration shows that IIS 7.0 modules are grouped into various categories of
functionality. Table 11-1 lists the different modules available in each category and provides a
short description of what they do.
Table 11-1 IIS 7.0 Modules and Their Functionality
Module Name: Description

HTTP Modules
CustomErrorModule: Sends default and configured HTTP error messages when an error status code is set on a response
HttpRedirectionModule: Supports configurable redirection for HTTP requests
OptionsVerbModule: Provides information about allowed verbs in response to OPTIONS verb requests
ProtocolSupportModule: Performs protocol-related actions, such as setting response headers and redirecting headers based on configuration
RequestForwarderModule: Forwards requests to external HTTP servers and captures responses
TraceVerbModule: Returns request headers in response to TRACE verb requests

Security Modules
AnonymousAuthModule: Performs Anonymous authentication when no other authentication method succeeds
BasicAuthModule: Performs Basic authentication
CertificateMappingAuthenticationModule: Performs Certificate Mapping authentication using Active Directory
DigestAuthModule: Performs Digest authentication
IISCertificateMappingAuthenticationModule: Performs Certificate Mapping authentication using IIS certificate configuration
RequestFilteringModule: Performs URLScan tasks, such as configuring allowed verbs and file extensions, setting limits, and scanning for bad character sequences
UrlAuthorizationModule: Performs URL authorization
WindowsAuthModule: Performs NTLM integrated authentication

Content Modules
CgiModule: Executes CGI processes to build response output. There’s also a FastCGI handler that’s installed as part of the CGI install.
DavFSModule: Sets the handler for Distributed Authoring and Versioning (DAV) requests to the DAV handler
DefaultDocumentModule: Attempts to return the default document for requests made to the parent directory
DirectoryListingModule: Lists the contents of a directory
IsapiModule: Hosts ISAPI DLLs
IsapiFilterModule: Supports ISAPI filter DLLs
ServerSideIncludeModule: Processes server-side includes code
StaticFileModule: Serves static files

Compression Modules
DynamicCompressionModule: Compresses responses, and applies Gzip compression transfer coding to responses
StaticCompressionModule: Performs precompression of static content

Caching Modules
FileCacheModule: Provides user-mode caching for files and file handles (required)
HTTPCacheModule: Provides kernel-mode and user-mode caching in HTTP.sys (required)
SiteCacheModule: Provides user-mode caching of site information
TokenCacheModule: Provides user-mode caching of user name and token pairs for modules that produce Windows user principals (required)
UriCacheModule: Provides user-mode caching of URL information (required)

Logging and Diagnostics Modules
CustomLoggingModule: Loads custom logging modules
FailedRequestsTracingModule: Supports the Failed Request Tracing feature
HttpLoggingModule: Passes information and processing status to HTTP.sys for logging
RequestMonitorModule: Tracks requests currently executing in worker processes, and reports information with the Runtime Status and Control Application (RSCA) Programming Interface
TracingModule: Reports events to Microsoft Event Tracing for Windows (ETW)

You can install these modules by adding role services and features to the Web Server (IIS)
role using Server Manager. (Note that some of these modules cannot be selectively installed or
uninstalled unless you uninstall the entire w3svc.) When you add the Web Server (IIS) role to
your Windows Server 2008 server, a subset of available role services and features is installed
by default (though you can also choose to add role services and features at this time or later).
Note in the preceding figure that the Basic Authentication role service (that is,
BasicAuthModule) is not included in a default install of the Web Server (IIS) role. Keep
this in mind, as we’ll come back to it later.
To get an idea of how “minimal” IIS 7.0 is out of the box, when you add the Web Server (IIS)
role using the defaults already selected for this role, only the following role services and the
specified subcomponents (modules) actually get installed:
■ Common HTTP
❑ Static Content
❑ Default Document
❑ Directory Browsing
❑ HTTP Errors
■ Health and Diagnostics
❑ HTTP Logging
❑ Request Monitor
■ Security
❑ Request Filtering
■ Performance
❑ Static Content Compression

■ Management Tools
❑ IIS Management Console
Look under the Security role service in the preceding list—no Basic authentication, right?
Remember that for later.
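The attack-surface argument above is only worth something if the server you are looking at really is still at the default set, so here is a way to verify it. This is an added example, not code from the book or from the IIS team: it asks appcmd.exe for the native modules actually loaded and compares them against the modules behind the default role services just listed, flagging anything extra and in particular any Basic, Digest, Windows or certificate-mapping authentication module. It assumes appcmd.exe in %windir%\system32\inetsrv, that "appcmd list modules" prints one line per module as MODULE "Name" ( native:True, precondition: ), and that the loaded-module names are the full ones appcmd reports (for example AnonymousAuthenticationModule rather than the AnonymousAuthModule shorthand used in the figure); the "(required)" cache modules from Table 11-1 are included in the baseline.

```powershell
# Added example (not from the book or the IIS team): audit loaded IIS 7.0 native modules
# against the default Web Server (IIS) role set described above.
# Assumptions: appcmd.exe location and its "MODULE "Name" ( ... )" output format.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw 'appcmd.exe not found; is the Web Server (IIS) role installed?' }

# Modules behind the default role services listed above, plus the modules Table 11-1
# marks (required) and the protocol/anonymous modules a default install always loads.
# Treat this list as your baseline and tune it to your own build.
$baseline = @(
    'StaticFileModule', 'DefaultDocumentModule', 'DirectoryListingModule', 'CustomErrorModule',
    'HttpLoggingModule', 'RequestMonitorModule', 'RequestFilteringModule', 'StaticCompressionModule',
    'AnonymousAuthenticationModule', 'ProtocolSupportModule',
    'HttpCacheModule', 'FileCacheModule', 'TokenCacheModule', 'UriCacheModule'
)
$authModules = @(
    'BasicAuthenticationModule', 'DigestAuthenticationModule', 'WindowsAuthenticationModule',
    'CertificateMappingAuthenticationModule', 'IISCertificateMappingAuthenticationModule'
)

# Parse: MODULE "StaticFileModule" ( native:True, precondition: )
$installed = @(& $appcmd list modules | ForEach-Object {
    if ($_ -match '^MODULE\s+"([^"]+)"') { $Matches[1] }
})
if ($installed.Count -eq 0) { throw 'appcmd returned no modules; run from an elevated prompt' }

$extra       = @($installed | Where-Object { $baseline -notcontains $_ })
$authPresent = @($installed | Where-Object { $authModules -contains $_ })

"Loaded native modules: $($installed.Count)"
if ($extra.Count) {
    "Beyond the default role set (review each; every module is attack surface and patch surface):"
    $extra | ForEach-Object { "  $_" }
}
if ($authPresent.Count) {
    Write-Warning ('Authentication modules loaded that a default install lacks: ' + ($authPresent -join ', '))
} else {
    'No Basic/Digest/Windows/certificate authentication module is loaded, the default state the text describes.'
}
```

Anything in the "Beyond the default role set" list was added by someone; the audit says nothing about whether it is needed, only that it is there and therefore has to be patched and, for the authentication modules, understood.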
Windows Process Activation Service
When you add the Web Server (IIS) role to your Windows Server 2008 server, you’re also
required to install a feature called Windows Process Activation Service (WPAS), together with
its three subfeatures: Process Model, .NET Environment, and Configuration APIs. WPAS man-
ages application pools and worker processes running on your machine for both HTTP and
non-HTTP requests. For example, when a protocol listener picks up a client request, WPAS
determines whether a worker process that can service the request is already running within
the application pool. If this is the case, the listener adapter passes the request to the worker
process for processing. If there isn’t a worker process running in the pool, WPAS starts a new
worker process and the listener adapter passes the request to it for processing.
WPAS also functions as a configuration manager that reads and maintains configuration
information for sites, applications, and application pools running on IIS, as well as for the
global configuration, which includes HTTP central logging and so on. In addition, WPAS
maintains the life cycle of worker processes by starting them (for example, when requests
come in), stopping them (when they idle out), monitoring their health, and recycling them
when needed.
What new functionality does WPAS provide that wasn’t there in previous IIS platforms?
Let’s hear from one of our experts:
From the Experts: Windows Process Activation Service (WPAS)
Windows Process Activation Service, also referred to as WPAS, is a new component in
IIS 7.0 that manages application pool configuration and worker processes instead of the
WWW process. This enables the same configuration for both HTTP and non-HTTP sites
to be used. Thanks to this separation (and in combination with the new modular
architecture of IIS 7.0), you can even host non-HTTP sites without the WWW Service even
being installed in the first place.
What scenarios does this enable? Because WPAS is not specific to HTTP sites, you can
use WPAS to host non-HTTP sites as well. But what do we mean by “non-HTTP sites”?
Well, simply put, WPAS can be used to host sites built on technologies such as Windows
Communication Foundation, for example. If you are using WCF with WPAS, are you
limited to listening over HTTP? Not at all. In fact, that is the beauty and power of WPAS.
You can be hosting a WCF service within WPAS that is using netTcpBinding,
netMsmqBinding, and so on. As an extension to this, because WPAS supports both HTTP and
non-HTTP sites, you can be hosting a service that exposes itself over both HTTP and
NET.TCP as well.
–Jason Olson
Technical Evangelist, Windows Server 2008 Developer & Platform Evangelism
Request Processing Pipeline
The modular architecture of IIS 7.0 is also important to the way in which requests are
processed by IIS 7.0. By way of comparison, on the previous platform (IIS 6.0), you basically
had a monolithic request-processing pipeline that could have its functionality extended
through ISAPI. In IIS 7.0, however, you have all these different modules that can be plugged
into your generic request pipeline to modify how requests are processed by your server. In
addition, you have a public module API that you can use to extend your pipeline by adding
your own custom modules.
Another way of comparing the new IIS 7.0 architecture with the old one in IIS 6.0 is by
comparing how ASP.NET is integrated with IIS on these two platforms. In IIS 6.0, you basi-
cally have IIS and ASP.NET and never the twain shall meet—unless it happens via ISAPI. For
example, suppose a request comes in that needs to be processed by ASP.NET. IIS hands it off
to ASP.NET via the ISAPI extension aspnet_isapi.dll, which processes the request and returns
it to IIS. This mechanism involves feature duplication and is not very efficient. By contrast,
IIS 7.0 offers two modes of handling such requests. First, you can use the “classic” mode,
where ASP.NET runs as ISAPI just like in IIS 6.0, which is useful for compatibility reasons. And
second, you can use the new “integrated” mode, where ASP.NET and IIS are part of the same
request-processing pipeline—that is, your .NET modules and handlers plug directly into the
generic request-processing pipeline, which is much more efficient than the old model (and
provides a far easier extensibility point to program to—ISAPI is so 90s).
Other Security Enhancements
If you thought IIS 6.0 was “secure by default” (and it was, to a large degree), you should take
note of some other security enhancements included in IIS 7.0. For example, instead of the
IUSR_computername local account that was used on previous IIS platforms to provide anony-
mous access to your server, IIS 7.0 now uses a new built-in anonymous user account for this
purpose. To understand the significance of this change, let’s hear from one of our experts:
Chapter 11 Internet Information Services 7.0 349
From the Experts: Change with the IIS Anonymous User
The IUSR_<servername> account in previous versions of IIS has always been a local
account created when IIS was installed on the operating system (unless you install IIS on
a domain controller, which is not recommended). Just short of “Internet User,” the name
that IUSR is often called is anonymous user, and it’s the identity used to access content on
Web sites configured to allow Anonymous authentication. This identity has worked very
well to provide unauthenticated access on IIS, but because it is a local account, it has a
password and security identity (SID) for NTFS permissions that are unique to the local
server. As a result, certain operations involving replication of the configuration system or
file permissions (such as restoring from backup or replication between servers in a Web
farm) become challenging.
In IIS 7.0, an IUSR_<servername> local account has been replaced with the IUSR built-in
account. The difference is quite significant. A built-in account cannot be used to log in to
the server. In addition, the IUSR account has a well-known SID that is common between
all editions of Windows Vista and Windows Server 2008 that have IIS 7.0 installed. If
you configure a file to Deny Read for the IUSR account and then xcopy that file to
another IIS 7.0 server with permissions, the Deny Read permission is still valid. This
is one of the little gems that make a big difference in the life of administrators and
security specialists, but it’s not as well known as other features of IIS 7.0.
–Brett Hill
IIS Technical Evangelist, Developer and Platform Evangelism
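The portable-SID point is easy to verify on the box. The following is an added example, not part of the book or of Brett Hill's text: it resolves IUSR to its SID, places a Deny Read ACE for it on a file, copies the file with its ACL, and then reports any ACE on the copy whose SID no longer maps to a name. The file paths are assumptions; on a real Web farm the destination would be on another server.

```powershell
# Added example, not from the book. Paths are hypothetical; run from an elevated prompt.
$src = 'C:\inetpub\wwwroot\secret.txt'       # hypothetical source file (must exist)
$dst = 'D:\webfarm-copy\secret.txt'          # hypothetical destination

# 1. Resolve IUSR. On Windows Vista / Server 2008 it is a built-in account with the
#    well-known SID S-1-5-17, identical on every machine. A local IUSR_<server>
#    account has a machine-specific SID instead, which is the problem being fixed.
$iusr = New-Object System.Security.Principal.NTAccount('IUSR')
$sid  = $iusr.Translate([System.Security.Principal.SecurityIdentifier]).Value
"IUSR resolves to $sid"
if ($sid -ne 'S-1-5-17') {
    Write-Warning "Unexpected SID; this does not look like the built-in IUSR account."
}

# 2. Deny Read to IUSR on the source file (icacls simple right R = read).
icacls $src /deny 'IUSR:(R)'

# 3. Copy the file keeping ownership and DACL (xcopy /O).
New-Item -ItemType Directory -Force (Split-Path $dst) | Out-Null
xcopy $src (Split-Path $dst) /O /Y

# 4. Inspect the copy. A well-known SID resolves to a name everywhere; an ACE whose
#    SID cannot be resolved is returned as a raw SecurityIdentifier, which is what an
#    IUSR_<server> ACE looks like after a copy to a different machine.
$acl = Get-Acl $dst
foreach ($ace in $acl.Access) {
    $ref = $ace.IdentityReference
    if ($ref -is [System.Security.Principal.SecurityIdentifier]) {
        Write-Warning ("Orphaned ACE: {0} {1} for unresolved SID {2}" -f `
            $ace.AccessControlType, $ace.FileSystemRights, $ref.Value)
    } else {
        "{0,-6} {1,-20} {2}" -f $ace.AccessControlType, $ace.FileSystemRights, $ref.Value
    }
}
```

The orphan check in step 4 is worth keeping as a standing audit on any content you replicate between servers: a Deny ACE that no longer resolves still denies that SID, but nobody can tell from the ACL who that was meant to be.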
Another security enhancement in IIS 7.0 is built-in URL filtering, which prevents suspicious
requests from being serviced by your server. Using the RequestFilteringModule module, you
can specify allowed verbs and file extensions, set character limits, and scan for bad character
sequences within a URL requested by a client. This means you no longer need to install
URLScan as a separate add-on for IIS, as this functionality is now available out of the box.
Let’s hear from another of our experts concerning this enhancement:
From the Experts: What About Using URLScan in IIS 7.0?
You don’t need URLScan in IIS 7.0. The core features of URLScan are now built into the
new Request Filtering module of IIS. In addition to the core URLScan features, Request
Filtering offers new functionality that enables you to deny access to certain segments
within the URL.
Unfortunately, there is no user interface for Request Filtering. You have to edit the
configuration files directly to use this feature. For more information on how to use
Request Filtering, see “How To Use Request Filtering,” found at />default.aspx?tabid=2&subtabid=25&i=1040 on IIS.NET.
If you have a large library of expressions you want to block and you don’t want to add
each of these expressions into the new configuration files, you might still want to use
URLScan version 2.5 with IIS 7.0. You can do this, but the installer for URLScan version
2.5 does not work on Windows Vista or Windows Server 2008. To work around this
issue, copy urlscan.dll and urlscan.ini to the Web Server running IIS 7.0 and then set up
urlscan.dll as a global ISAPI filter in IIS.
–Tim Elhajj
Technical Writer
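Since Request Filtering has no UI, the practical way to manage it is AppCmd.exe. The following is an added example, not from the book or from Tim Elhajj: it tightens the request filtering settings for one site (verb allow-list, a denied URL sequence, a hidden segment, request limits and a few extra denied extensions) and reads the effective configuration back before and after. The site name is the default one; the chosen values are illustrative, not recommendations for every application.

```powershell
# Added example, not from the book. Run from an elevated prompt.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'
$sect   = 'system.webServer/security/requestFiltering'

# Before: what the site currently enforces. IIS 7.0 already denies extensions such as
# .config and .cs, but verbs like TRACE and PUT are allowed unless you say otherwise.
& $appcmd list config $site "/section:$sect"

# 1. Verbs: switch to an allow-list. Anything not listed (TRACE, PUT, DEBUG, ...) is
#    rejected with 404.6. Add OPTIONS or others only if an application needs them.
& $appcmd set config $site "/section:$sect" /verbs.allowUnlisted:false
foreach ($v in 'GET', 'HEAD', 'POST') {
    & $appcmd set config $site "/section:$sect" "/+verbs.[verb='$v',allowed='true']"
}

# 2. URL hygiene: block the traversal sequence outright (404.5) and hide a segment
#    that must never be served even if the files are on disk (404.8).
& $appcmd set config $site "/section:$sect" "/+denyUrlSequences.[sequence='..']"
& $appcmd set config $site "/section:$sect" "/+hiddenSegments.[segment='.svn']"

# 3. Limits: URL length (404.14), query string length (404.15) and body size (404.13).
& $appcmd set config $site "/section:$sect" `
    /requestLimits.maxUrl:2048 `
    /requestLimits.maxQueryString:1024 `
    /requestLimits.maxAllowedContentLength:10485760

# 4. Extensions: deny a few that tend to appear next to real content and should never
#    be downloadable (404.7). None of these are in the default deny list, so no
#    duplicate-entry error.
foreach ($ext in '.bak', '.old', '.log') {
    & $appcmd set config $site "/section:$sect" "/+fileExtensions.[fileExtension='$ext',allowed='false']"
}

# After: the effective configuration for the site.
& $appcmd list config $site "/section:$sect"
```

Adding an entry whose key already exists in the inherited collection fails with a duplicate-entry error, which is why the "before" listing matters: check what applicationHost.config already denies before adding to it at the site level.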
Another security enhancement is the ability to use .NET role and membership providers
for authenticating users trying to access the server. You can also easily enable Forms
authentication for any content on your server.
IIS 7.0 also includes an enhanced process model that automatically sandboxes applications
on your server. For example, when you create a new Web site on your server, process isolation
is enabled for this site by default. In other words, by default each new site you create is
assigned to its own unique application pool (see Figure 11-1). By default, these application
pools all run as Network Service, and each application pool also has its own separate, scoped
configuration file that is created at run time.
Figure 11-1 Creating a new Web site also creates a new application pool by default
IIS 7.0 also includes a rich delegation infrastructure that lets server administrators create site
and application administrators who can administer only designated sites and applications. In
addition, you can configure which features of a Web site or Web application to delegate to
these different levels of administrators without having to give them full control of the server.
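The isolation and delegation behaviour described here, together with the integrated versus classic pipeline choice from the Request Processing Pipeline section, can all be set and checked with AppCmd.exe. The following is an added example, not from the book: it creates a site with its own application pool, pins the pool to the integrated pipeline and the Network Service identity, verifies the result, and then locks a delegatable section so a site administrator cannot override it from web.config. The site name, port and path are hypothetical.

```powershell
# Added example, not from the book. Names, port and path are hypothetical.
# Run from an elevated prompt.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$name   = 'Intranet'
$root   = 'C:\inetpub\Intranet'
New-Item -ItemType Directory -Force $root | Out-Null

# 1. A pool of its own: integrated pipeline (managed modules plug straight into the
#    IIS pipeline) and Network Service as identity, which is the IIS 7.0 default.
& $appcmd add apppool "/name:$name" /managedPipelineMode:Integrated
& $appcmd set apppool $name /processModel.identityType:NetworkService

# 2. The site on its own port, with its root application moved into that pool.
& $appcmd add site "/name:$name" '/bindings:http/*:8080:' "/physicalPath:$root"
& $appcmd set app "$name/" "/applicationPool:$name"

# 3. Verify: every application and the pool it runs in, then the new pool's full
#    configuration (identity and pipeline mode included).
& $appcmd list app
& $appcmd list apppool $name /config

# 4. Delegation: directoryBrowse is overridable by default. Lock it at the server
#    level so a delegated site administrator cannot switch it on from web.config ...
& $appcmd lock config /section:system.webServer/directoryBrowse
# ... after which a site-scoped override is rejected (expected: "locked" error).
& $appcmd set config $name /section:system.webServer/directoryBrowse /enabled:true /commit:site
# The reverse, when a section should be delegated:
#   appcmd unlock config /section:system.webServer/<section>
```

A lock only constrains configuration files below applicationHost.config. A server administrator can still set the locked section for the site by committing to applicationHost.config (/commit:apphost), which is exactly the split the delegation model is after.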
Administration Tools
In addition to having minimized surface area, patching through a componentized
architecture, and fully customizable installation options (wow, the Eiffel Tower!), IIS 7.0
also includes a raft of new feature-focused administration tools that can be used to efficiently
manage Web servers, sites, and applications—including both IIS and ASP.NET configuration
settings from the same place. Let’s look at these tools now—but it’s only a quick look, so
have your cameras ready!
IIS Manager
IIS Manager has been totally revamped in IIS 7.0 to make it more intuitive for those using it. IIS
Manager is also more task-oriented than in previous versions of IIS, and the “property sheet
purgatory” and “tab hell” of IIS 6.0 (actually, it wasn’t that bad) have been replaced with icons
and a new context-sensitive MMC 3.0 Actions pane (which actually is a lot better!), as you can
see in this figure:
Remember I told you previously that the Basic Authentication module is not installed in a
default Web Server (IIS) role installation? Well, if you now select the icon for the Authentica-
tion feature (the first one in the IIS section of the Details pane in the preceding figure) and
click Open Feature in the Actions pane, you get a list of authentication settings you can
configure for your Web server:
Note that there’s no option available for configuring Basic authentication for your Web server.
Why not? Because the binaries of that particular component aren’t even installed! In other
words, the only configuration options you’re presented with are those supported by modules
already installed on your server. That certainly makes administration a lot easier than the
previous platform of IIS 6.0, where you had all those property sheets, tabs, and settings.
How can you make Basic Auth available for applications running on your server? Well, you
just go back to Server Manager, right-click on the Web Server (IIS) role, and select Add Role
Services to start the Add Role Services Wizard again. Then, in the wizard, you select the check
box for Basic Auth and finish the wizard, and the component gets installed. Then, if you open
the Authentication feature in IIS Manager, you get this:
Basic Auth is now installed. Of course, it’s also disabled by default and you have to enable it
if you want to use it on your server. You might have to restart IIS Manager to make the new
setting visible.
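The same steps can be scripted, which is how you would do them on more than one server. The following is an added example, not from the book: it installs the Basic Authentication role service with ServerManagerCmd.exe, confirms the module is registered, enables Basic (and disables Anonymous, which otherwise wins) for the Default Web Site, and then requires SSL on the site, because Basic sends the credentials Base64-encoded and readable to anyone on the path. The role service Id and section names are the standard IIS 7.0 ones; the site is the default one.

```powershell
# Added example, not from the book. Run from an elevated prompt.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'
$auth   = 'system.webServer/security/authentication'

# 1. Install the role service: the binaries plus the module registration.
ServerManagerCmd.exe -install Web-Basic-Auth

# 2. No module, no configuration option. This should now list the module.
& $appcmd list module BasicAuthenticationModule

# 3. Enable Basic for the site and turn Anonymous off there. The authentication
#    sections are locked by default, so commit to applicationHost.config
#    (/commit:apphost) rather than the site's web.config.
& $appcmd set config $site "/section:$auth/basicAuthenticationModule".Replace('Module','') /enabled:true /commit:apphost
& $appcmd set config $site "/section:$auth/anonymousAuthentication" /enabled:false /commit:apphost

# 4. Require SSL so the Base64-encoded credentials never cross the wire in the clear.
& $appcmd set config $site /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost

# 5. Read the result back.
& $appcmd list config $site "/section:$auth/basicAuthentication"
& $appcmd list config $site /section:system.webServer/security/access
```

Step 4 assumes the site already has an https binding with a certificate; without one, requiring SSL simply makes the site unreachable, which is at least a safe failure.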
The configuration options (icons) you see in IIS Manager depend on the node you select in the
console tree in the left pane. For example, if you select a Web site, you get options like these:
If you select any of the icons in the preceding figure, the center Details pane displays settings
and might allow you to configure them, while the Action pane at the right gives you a quick
way to perform common tasks relating to these settings. For example, if you open the Logging
feature, the configuration settings look like this:
Obviously, we could spend a lot of time exploring all the different settings you can configure
and tasks you can perform using IIS Manager, but we need to move on (look, the Coliseum!)
and look at some other ways of administering IIS 7.0. But first a quick word from our
sponsor—I mean tour guide—I mean expert:
From the Experts: Configuring a UI Feature in IIS 7.0
You might want to configure a UI feature in IIS 7.0 that you don’t see in the UI.
There are several possible reasons for this situation. First, if you are running IIS 7.0 on
Windows Vista, make sure that the feature you are trying to configure is available. Some
features that are available for configuration in Windows Vista do not appear in the UI.
You can configure supported features by using other methods—such as appcmd or WMI
scripts—or by editing the configuration files directly.
Second, you might not have the feature installed on your Web server. If the feature is not
installed, you will not see it in the UI.
Third, if you are running Windows Server 2008 and are connected to a site or an
application, you will not see features in the UI unless they have been delegated to that
site or application. Additionally, the ability to actually configure a feature that you see in
the UI depends on whether the feature was delegated as Read Only or as Read/Write.
For information about IIS 7.0, including additional information about these issues, see
.
–Reagan Templin
IIS Technical Writer
AppCmd.exe
Remember all the administration scripts that were included with IIS 6.0 so that you could
administer it from the command line? These included iisweb.vbs, iisvdir.vbs, iiscnfg.vbs,
iisback.vbs, iisext.vbs, and so on. They were a great way of administering IIS 6.0, but they
could hardly be called an integrated solution to managing your Web server from the
command line.
Well, in IIS 7.0 all those scripts have been done away with (though you can still write your
own scripts using the WMI provider for IIS 7.0) and have been replaced by a single command-
line tool. AppCmd.exe now gives you a single, unified command-line interface for managing
virtually all aspects of your Web server, including sites, applications, application pools, worker
processes, and so on. Here’s a quick look at the upper-level syntax of this command:
C:\Windows\System32\inetsrv>appcmd /?
General purpose IIS command line administration tool.
APPCMD (command) (object-type) <identifier> </parameter1:value1 >
Supported object types:
SITE Administration of virtual sites
APP Administration of applications
VDIR Administration of virtual directories
APPPOOL Administration of application pools
CONFIG Administration of general configuration sections
WP Administration of worker processes
REQUEST Administration of HTTP requests
MODULE Administration of server modules
BACKUP Administration of server configuration backups
TRACE Working with failed request trace logs
(To list commands supported by each object use /?, e.g. 'appcmd.exe site /?')
General parameters:
/? Display context-sensitive help message.
/text<:value> Generate output in text format (default).
/text:* shows all object properties in detail view.
/text:<attr> shows the value of the specified
attribute for each object.
/xml Generate output in XML format.
Use this to produce output that can be sent to another
command running in /in mode.
/in or - Read and operate on XML input from standard input.
Use this to operate on input produced by another
command running in /xml mode.
/config<:*> Show configuration for displayed objects.
/config:* also includes inherited configuration.
/metadata Show configuration metadata when displaying configuration.
/commit Set config path where configuration changes are saved.
Can specify either a specific configuration path, "site",
"app", or "url" to save to the appropriate portion of the
path being edited by the command, or "apphost", "webroot",
or "machine" for the corresponding configuration level.
/debug Show debugging information for command execution.
Let’s use AppCmd.exe to view a list of Web sites on our server:
C:\Windows\System32\inetsrv>appcmd list site
SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)